DETAILED ACTION

Applicant's election without traverse of group I (claims 1-2, 4-13, 15-19, 21-30, 
32-34, and 40) in the reply filed on 4/2/2007 is acknowledged. 

Information Disclosure Statement 

Applicant submitted IDS's on 8/23/06, 2/9/07, and 2/22/07. Most of the 
documents were considered. The foreign documents listed on the IDS submitted on 
8/23/06 were not considered because copies of the documents were not provided to the
examiner as required by 37 CFR 1.98(a)(2).

Response to Amendment and Arguments 

Applicant's amendments and arguments were fully considered, but are moot in 
view of new rejections made below in response to the amendments.

Claim Objections 

Claims 1 and 18 are objected to because of the following informalities: The 
examiner respectfully suggests consistent usage of "said" and "the" when referring to 
the same item. For instance, claim 1 recites, "said security service" and "the security
service", which the examiner is assuming is meant to refer to the same security service.
Claim 18 contains similar informalities with various terms, i.e. protected resource. 
Appropriate correction is required. 

Claim Rejections - 35 USC §112 

The following is a quotation of the second paragraph of 35 U.S.C. 112: 
The specification shall conclude with one or more claims particularly pointing out and distinctly
claiming the subject matter which the applicant regards as his invention. 

Claims 1-2, 4-13, 15-19, 21-30, 32-34, and 40 are rejected under 35 U.S.C. 112,
second paragraph, as being indefinite for failing to particularly point out and distinctly
claim the subject matter which applicant regards as the invention.

1. Claim 1 recites "the access request" in line 10. It is unclear to which access 
request is being referred, the one in lines 4-5 or the one in line 6. 

2. Claim 1 recites "the security service" in line 4, which lacks antecedent basis. 

3. Claim 18 recites "a protected resource" in both lines 1 and 8. It is unclear to 
which protected resource is being referred with later recitation of "the protected 
resource". 

4. Claims not specifically addressed are rejected due to dependency on claims 1 
and 18. 

Claim Rejections - 35 USC § 102/103 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in (1) an application for patent, published under section 122(b), by 
another filed in the United States before the invention by the applicant for patent or (2) a patent 
granted on an application for patent by another filed in the United States before the invention by the 
applicant for patent, except that an international application filed under the treaty defined in section 
351(a) shall have the effects for purposes of this subsection of an application filed in the United States
only if the international application designated the United States and was published under Article 21(2) 
of such treaty in the English language. 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1, 13, 15-18, 30, and 32-34 are rejected under 35 U.S.C. 102(e) as
anticipated by Sampson et al (US 6,339,423) or, in the alternative, under 35 
U.S.C. 103(a) as obvious over Sampson et al (US 6,339,423) in view of Sharma (US 
7,089,584). 
Claims 1 and 18: 

As per claim 1, Sampson discloses: 

1. An application container, i.e. browser, which provides services for a protected
resource, wherein the application container delegates authorization decisions to 
a security service by passing an access request to the security service when the 
application container receives an access request for a protected resource from a 
client (col 4, line 22-col 5, line 2).

2. Context information, wherein the context information comprises one or more 
parameter values describing the access request and can be retrieved from the 
application container by the security service (col 7, lines 23-50). 

3. Said security service for making a decision to permit or deny the access request, 
wherein the security service includes a plurality of security providers that may be 
plugged into the security service (col 5, lines 6-23; col 6, lines 48-55; and Fig 2, 
items 240, 260, 280, and 220), and wherein depending on output from each 
security provider the security service determines entitlement for the client to use
with the protected resource (col 6, line 57-col 8, line 59). The cited columns
describe how each component of the security service interacts with each other
to determine whether or not to approve a request to a resource sent from a
browser. The decision is dependent on the output from each component and the
resulting access control cookies determine the privileges/entitlements of the
browser and the client using the browser.

4. Said security service is located at a first computer, and said protected resource is
located either at the same first computer or at a second computer (col 6, lines 21-35).

5. A resource interface for communicating permitted access requests to said 
protected resource (col 8, lines 52-59 and col 11, lines 10-40). 

Sampson does not explicitly disclose the application handler sending a callback 
handler to the security service, the security service using the callback handler, and 
wherein the plurality of security providers use the callback handler to request context 
information from the application container for the access request. However, a callback 
handler is code that is executed based on an event. Note that Sampson discloses that 
the security services and the plurality of security providers which makes up the security 
services is able to cause the browser to redirect and connect to various servers as well 
as require the user of the browser to authenticate, i.e. provide context information (col 5, 
lines 47-49 and col 7, line 23-col 8, line 31). Though the term "callback handler" is not 
explicitly used in describing the servers controlling the browser's action, what is
described in the cited sections reads on sending a callback handler to the security 
service, the security service using the callback handler, and wherein the plurality of 
security providers use the callback handler to request context information from the 
application container, i.e. browser, for the access request. As such, claim 1 is 
unpatentable under 35 USC 102(e) over Sampson.

Alternatively, note that Sharma discloses use of sending a callback handler to the 
security service, the security service using the callback handler to request context 
information from the application container for the access request (col 11, lines 51-56; 
col 12, lines 51-56; and col 19, lines 53-56). At the time applicant's invention was 
made, it would have been obvious to one of ordinary skill in the art to incorporate 
Sharma's teachings within Sampson's invention according to the limitations recited in 
claim 1. One skilled would have been motivated to do so because Sharma's teachings 
would keep security architecture technology neutral and enable a specified security 
contract to be supported by various security technologies (Sharma: col 5, line 64-col 6, 
line 2). One skilled would be further motivated to do so because use of callback
handlers as taught by Sharma would enable retrieval of authentication data and EIS 
instance specific information (Sharma: col 20, lines 13-15). 

Claim 18 is directed towards a method implemented using the security system of 
claim 1 and thus is rejected for substantially the same reasons given in claim 1. 
Claims 13 and 30: 
Sampson further discloses wherein the resource interface includes an interface
mechanism to pass access requests to or from a protected resource (Fig 2; col 4, lines
36-56; col 6, lines 47-55; and col 11, lines 10-24).
Claims 15 and 32: 

Sampson further discloses wherein the interface mechanism includes a security 
provider interface (Fig 2; col 4, lines 36-56; col 6, lines 47-55; and col 11, lines 10-24).
Claims 16 and 33: 

Sampson further discloses wherein the interface mechanism is included as a 
plug-in into the resource interface (col 6, lines 47-55). 
Claims 17 and 34: 

Sampson further discloses wherein the security service further makes a decision 
on whether to permit or deny a response to the access request from the protected 
resource to the client (col 6, lines 21-36). 

Claims 2, 4, 13, 15-16, 19, 21, 30, and 32-33 are rejected under 35 U.S.C. 
103(a) as being unpatentable over Sampson et al (US 6,339,423) in view of Sharma 
(US 7,089,584). 
Claims 2 and 19: 

Sharma further discloses wherein the application container of claims 1 and 18 
reads an application deployment description and registers the application deployment 
description with the security service (col 6, lines 53-62; col 8, line 62-col 9, line 2; col 10,
line 21-24; and col 18, lines 1-12). 
Claims 4 and 21:

Sampson and Sharma further disclose wherein the application container is a 
Web Application container (Sampson: Fig 2, item 210 and Sharma: col 8, lines 16-20). 
Claims 13 and 30: 

Sampson further discloses wherein the resource interface includes an interface 
mechanism to pass access requests to or from a protected resource (Fig 2; col 4, lines 
36-56; col 6, lines 47-55; and col 11, lines 10-24). Sharma also discloses the limitation 
(Figs 1A-1C). 
Claims 15 and 32: 

Sampson further discloses wherein the interface mechanism includes a security 
provider interface (Fig 2; col 4, lines 36-56; col 6, lines 47-55; and col 11, lines 10-24). 
Sharma also discloses the limitation (Figs 1A-1C). 
Claims 16 and 33: 

Sampson further discloses wherein the interface mechanism is included as a 
plug-in into the resource interface (col 6, lines 47-55). Sharma also discloses the 
limitation (Figs 1A-1C). 

Claims 5-11, 22-28, and 40 are rejected under 35 U.S.C. 103(a) as being
unpatentable over Sampson et al (US 6,339,423) in view of Sharma (US 7,089,584) and 
further in view of Hummel, Jr. et al (US 6,584,454). 
Claims 5 and 22: 

Sampson further discloses the security service further includes a plurality of access
decision mechanisms for defining an access policy (Fig 2, items 240, 260, 280, and 220 
and col 8, lines 52-59). 

Sampson does not explicitly disclose each of the plurality of access decision 
mechanism can determine its own contributory decision to permit, deny, or abstain from 
the access request. However, Hummel discloses each of a plurality of access decision 
mechanism can determine its own contributory decision to permit, deny, or abstain from 
the access request (col 3, lines 4-20). 

At the time applicant's invention was made, it would have been obvious to one of 
ordinary skill in the art to further modify Sampson's invention according to the limitations 
recited in claims 5 and 22 in light of Hummel's teachings. One skilled would have been
motivated to incorporate Hummel's teachings because it would provide for a system that 
load balances the decision for resource access. This would allow faster access to 
resources when a user requests the resource. 
Claims 6 and 23: 

Hummel further discloses wherein the security service further includes an access 
controller for transferring the access request to the plurality of access decision 
mechanisms (col 3, lines 39-42), and for combining the contributory decisions into an 
overall decision by the security service to permit or deny the access request (col 3, lines
39-60). 

Claims 7 and 24: 

Hummel further discloses wherein one or more of the plurality of the access 
decision mechanisms represent a business function related access policy (col 3, lines 
50-60).

Claims 8 and 25: 

Sampson does not explicitly disclose wherein access decisions may be added to 
the security service to reflect changes in the access policy. However, official notice is 
taken that the limitation was well known in the art at the time applicant's invention was
made because it was well known to be able to replace or update security rules for a 
security system. At the time applicant's invention was made, it would have been 
obvious to one of ordinary skill in the art to further modify Sampson's invention 
according to the limitations recited in claims 8 and 25. One of ordinary skill would have 
been motivated to do so because it would allow the security system to have the most 
updated security rules. 
Claims 9 and 26: 

Sampson further discloses wherein the plurality of the access decision 
mechanisms are used to define the entitlements for the client to access the protected 
resource (col 3, lines 20-25 and col 8, lines 52-59). 
Claims 10 and 27: 
Hummel further discloses wherein a deny or abstain by any one of the plurality of
access decision mechanisms causes the security service to deny the access request 
(col 12, lines 25-32). 
Claims 11 and 28: 

Hummel further discloses wherein an abstain by any one of the plurality of 
access decision mechanisms does not cause the security service to deny the access 
request (col 3, lines 6-11). Note that if the resource/application is open, then the 
agency model makes a decision to allow access while the policy server is not consulted 
about the access thereby abstaining from a decision. 
Claim 40: 

Sampson does not explicitly disclose wherein entitlements comprises at least 
one of business logic and functionality entitlements. However, Hummel discloses the 
limitation (col 3, lines 39-60). At the time applicant's invention was made, it would have 
been obvious to one of ordinary skill in the art to further modify Sampson's invention 
according to the limitations recited in claim 40. One skilled would have been motivated 
to incorporate Hummel's teachings within Sampson's for the same reasons given in 
claim 5. 

Claims 12 and 29 are rejected under 35 U.S.C. 103(a) as being unpatentable
over Sampson et al (US 6,339,423) in view of Sharma (US 7,089,584) and further in 
view of Hummel, Jr. et al (US 6,584,454) and Wiederhold (US 6,226,745). 
Claims 12 and 29: 

Sampson does not explicitly disclose wherein the security service further 
includes an audit mechanism for auditing the determinations of the plurality of access 
requests. However, the limitation is disclosed by Wiederhold (col 5, last paragraph and 
col 6, lines 1-2). 

At the time applicant's invention was made, it would have been obvious to one of 
ordinary skill in the art to further modify Sampson's invention according to the limitations
recited in claims 12 and 29. One skilled would have been motivated to do so because it 
would allow policies that are too stringent or too liberal to be recognized and the system 
can be adjusted accordingly (Wiederhold: col 3, lines 61-64). 

Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a).

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Ponnoreay Pich whose telephone number is
571-272-7962. The examiner can normally be reached on 9:00am-4:30pm Mon-Thurs.

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Kim Vu can be reached on 571-272-3859. The fax phone number for the 
organization where this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 




